使用Oauth服务器/客户端进行Ember身份验证

Question

I am trying to design the authentication flow of an Ember application with a Rails backend. I basically want to authenticate users via Google/Facebook/etc., I do not want to provide an 'independent' authentication service. I do want to maintain a list of users of course on the server side, potentially merging different authentications from different sources into the same user. I will not interact on behalf of the user on Google/Facebook from the client side, but I will do that on the server side.

For the above reason I was planning to do the following:

1. I will use torii to fetch an auth_token on the client side and I will pass that onto the server side, where I will validate it, convert it into an access token.

2. I will generate a custom token on the server side which I will send back to the client and require all further API calls to be accompanied by that token. I will not share the access token with the client at all.

Would you say that this is an optimal flow?

In terms of implementation, I have been able to get auth_tokens from the different providers using the example here . I am completely unsure however:

• if I need ember-simple-auth or only torii (how do these two complement each other?)

• how do I pass the auth token to the server side? With the code below I can get the auth token, but is this the proper place to implement the call to the API?

   export default Ember.Route.extend({ actions: { googleLogin: function() { var _this = this; this.get('session').authenticate('simple-auth-authenticator:torii', 'google-oauth2').then( function() {console.log(_this.get('session.secure.authorizationCode'));} ); return; }, facebookLogin: function() { this.get('session').authenticate('simple-auth-authenticator:torii', 'facebook-oauth2'); return; } } }); 

• how do I make all further requests to the API to be accompanied by a specific token?

• should I use devise on the server side to make it easier or not?

Answer 1

I have been implemented exactly the same kind of workflow. I used ember-simple-auth with ember-simple-auth-torii and implemented a custom authenticator to achieve this goal.

Ember-simple-auth provides an example of a custom authenticator here .

Your custom authenticator implementation will look like the following

• First get auth_token using torii
• Then valid this auth_token against your backend in order to get your custom token

Your authenticate callback in your custom authenticator will basically look like the following :

authenticate: function(provider, options) {
    var self = this;

    return new Ember.RSVP.Promise(function(resolve, reject) {
        self.torii.open(provider, options || {}).then(function(data) {

            var endpoint = '/token'; // Your API endpoint used to get your cutom token
            var dataToSend = { // Data sent to your endpoint
                grant_type: 'authorization_code',
                code: data.accessToken,
                access_token: data.accessToken
            };
            $.post(endpoint, dataToSend).done(function(response) {
                response.provider = provider;
                resolve(data);
            }).fail(function(response) {
                response.provider = provider;
                reject(data);
            })
        }, reject)

    })
}

Once you have the custom authenticator initilized you can use it this way on your controllers :

   this.get('session').authenticate(
    'authenticator:customauthenticator', // Or wathever name you gave
    'facebook-connect' // Any compatible torii provider
).then(function(user) {
    console.log(user); // Will display ajax response from your endpoint
})

Finally, if you want your custom token to be automatically sent with all ajax request, you can use the ember-simple-auth oauth2-bearer authorizer.